Bugtraq mailing list archives

Re: SAS behavior in Windows NT - RE: Windows 2000 Run As... Feature


From: jdglaser () NTOBJECTIVES COM (jdglaser)
Date: Wed, 26 Jan 2000 17:59:02 -0800


> You need better NT security books then.
I don't need better security books. It's the general public that depends on
that info.
How are they supposed to know? Follow every one of these posts? Dig up the
archives to double check the advice of a professional?

I have to cry foul here.

That's why I said -widely- available.

> Look in Rutstein, pg 17 -
> "Unfortunately, the architecture of Intel-based computers [...] does not
> allow for this attention sequence to be totally secure. [...]

I have. Please. There is a big difference in skill level between having to
write a driver and making use of an application level API that Microsoft
provides.

> The trust in the secure attention sequence, or any other part of the
> operating system - LeBlanc

This time I totally disagree with David. Here's why. Let's classify attacks
and paranoia levels accordingly.

There are essentially 2 levels of protection in NT: ACL and kernel mode.
Because network overflows usually, easily, completely bypass ACL
protections, an overflow in your mail server will pop you past ACL
protection. It doesn't necessarily pop you past kernel mode protections.

So if entry to a kernel mode piece is protected by application level ACLs,
it is a weaker form of protection. (Yes, you can get past kernel mode
protection too, but it is a more sophisticated attack.)

Since 99.99999% of all NT boxes are not, nor can be, C2 compliant (because
they have functioning NICs), this type of simple remote network attack can
be expected more so than waking up in the morning to find fully trojaned
kernel binaries. I am not too worried about seeing the second.

Based on the rash of network overflows lately that could allow for a GINA
type attack, I don't think this is out of line.

The ease/style of a GINA attack almost matches the ease/style of classic
Unix pop-up trojans. A GINA attack is simple, doesn't include a kernel
alteration and doesn't affect NT stability drastically.

To put into place reliable, binary kernel system table patches requires a
few notches higher in kung-fu.

I think more attacks will take place based on things like the former, less
on things like the latter.

This has little to do with the trust of the administrator. Most users are
admins of their local machines as well as domain members because companies
would come to a crawl if this were not so.

As Mudge said in another thread, it takes a combination of theory and
practice.

Reading Tomlinson's column may not change your mind, but it will at least
give you enough to make your own decision.

I'm not going to discuss Win2000. I haven't fully investigated it yet.
Dependable 4.0 installs will be around for a little bit anyway.

However, bravo on the RunAs thing.

jdg
My opinions do reflect those of my employer
NT OBJECTives, Inc.
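A check a practitioner would want after reading the exchange above, added here as an example and not part of the original post or of NT OBJECTives' work: on a host that still runs the GINA model (NT 4.0, 2000, XP and Server 2003; Vista and later replaced GINA with credential providers and ignore this value), confirm which GINA DLL Winlogon is configured to load and who can change it. The attack discussed needs only write access to the `GinaDLL` value under the Winlogon key, or to the DLL that value names, so the script reports the configured DLL and lists any principals outside a trusted set that hold write-class rights on the key or the file. Two assumptions are baked in and marked in the code: msgina.dll is the only acceptable GINA (an absent `GinaDLL` value means the built-in default), and `$TrustedWriters` is the complete set of principals that should be able to change either object. Reconcile the first against any legitimate third-party GINA in your environment and widen the second as needed. Requires Windows PowerShell with read access to the key.

```powershell
# Added example: audit the Winlogon GINA configuration on a legacy NT-family host.
# Not from the original post. Assumptions: msgina.dll is the only acceptable GINA,
# and $TrustedWriters lists every principal that should be able to change the
# Winlogon key or the GINA binary.

$WinlogonKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$TrustedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'   # only exists on newer systems; harmless elsewhere
)
# Registry and file rights that allow the object to be altered or re-owned.
$WriteRights = 'Write|Modify|FullControl|SetValue|CreateSubKey|TakeOwnership|ChangePermissions'

function Get-ConfiguredGina {
    # Returns the GINA path Winlogon will load. An absent or empty GinaDLL value
    # means the built-in msgina.dll (assumption, see lead-in).
    $value = (Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop).GinaDLL
    if ([string]::IsNullOrEmpty($value)) {
        return Join-Path $env:SystemRoot 'system32\msgina.dll'
    }
    if ([System.IO.Path]::IsPathRooted($value)) { return $value }
    # A bare file name is resolved by the loader search path; system32 comes first,
    # so that is the location we check.
    return Join-Path $env:SystemRoot "system32\$value"
}

function Get-UntrustedWriters {
    param([Parameter(Mandatory)][string]$Path)
    # Emits one object per Allow ACE that grants write-class rights to a principal
    # not in $TrustedWriters. Works for both registry keys and files because
    # Get-Acl returns RegistryRights or FileSystemRights respectively.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = "$($ace.RegistryRights)$($ace.FileSystemRights)"
        if ($rights -notmatch $WriteRights) { continue }
        $who = $ace.IdentityReference.Value
        if ($TrustedWriters -contains $who) { continue }
        [pscustomobject]@{
            Object    = $Path
            Principal = $who
            Rights    = $rights
            Inherited = $ace.IsInherited
        }
    }
}

$gina = Get-ConfiguredGina
[pscustomobject]@{
    ConfiguredGina = $gina
    IsDefault      = ([System.IO.Path]::GetFileName($gina) -ieq 'msgina.dll')
    FileExists     = (Test-Path -LiteralPath $gina)
}

Write-Host 'Principals outside the trusted set that can change the Winlogon key or the GINA binary (should be none):'
Get-UntrustedWriters -Path $WinlogonKey
if (Test-Path -LiteralPath $gina) { Get-UntrustedWriters -Path $gina }
```

A clean result only means the ACLs are as tight as the platform allows. As the post points out, where everyday users are local administrators, `BUILTIN\Administrators` is in the trusted set and still covers every one of them, so the check passes while the protection is only as strong as the administrator population and the processes running under it.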

